2048 Bit DKIM Keys: Enhanced Protection for Your Email Program
Denis O'Sullivan
Due to the countless bad actors in the email space, legitimate senders need to go above and beyond to prove themselves. One of the ways senders can authenticate themselves is through DomainKeys Identified Mail (DKIM): the sending server signs selected headers and the body hash of each message with a private key, and the receiving server fetches the matching public key from a DNS TXT record under the sender's domain (selector._domainkey.example.com) to check that signature. A valid signature proves the message was sent by someone who controls that domain's DNS and was not altered in transit.
For years, the standard key length was 1024 bits, but the computing power available to attackers keeps growing, and the margin against factoring a 1024 bit RSA modulus keeps shrinking.
The National Institute of Standards and Technology (NIST) has disallowed 1024 bit RSA for new signatures since 2013 and recommends moduli of at least 2048 bits, and RFC 8301 likewise tells DKIM signers that they should use keys of at least 2048 bits. To ensure our senders have the best possible protection in place, we’re excited to announce that Twilio SendGrid now uses 2048 bit keys.
1024 bit vs. 2048 bit DKIM keys
A 1024 bit DKIM key is an RSA key whose modulus is 1024 bits long (bits, not characters; the public key you publish in DNS is a Base64 encoding of that modulus and exponent, so it is longer than 1024 characters only in the 2048 bit case). The longer the modulus, the harder it is for an attacker to factor it and forge signatures. For several years, many domains published 512 bit keys. It became very apparent that a 512 bit RSA modulus can be factored in hours on rented commodity hardware, so anyone who did the work could sign mail as that domain.
While 1024 bit keys are far more secure, it’s incredibly important to stay ahead of the game when securing your email. NIST already rates 1024 bit RSA below its minimum acceptable strength, and the consensus is that it will become practically breakable for well-resourced attackers over the coming years.
Enter 2048 bit keys. Doubling the modulus length does far more than double an attacker's work: NIST rates 1024 bit RSA at roughly 80 bits of security and 2048 bit RSA at 112 bits, and considers 2048 bit keys acceptable through 2030. For automated security domain authentication, this is the strongest signing we offer, and it protects against forgery and tampering for the foreseeable future.
Is 2048 bit widely supported?
This is a common question since the published record is roughly twice as long as for a 1024 bit key. The catch is not the key itself but how DNS stores it: each string inside a TXT record holds at most 255 bytes, so a 2048 bit DKIM record (about 410 characters) has to be split into two or more quoted strings that the verifier concatenates, while a 1024 bit record fits in one string. Most domain name system (DNS) providers handle multi-string TXT records, but some management interfaces only let you enter a single string or silently truncate long values. Those DNS providers that don’t support 2048 bit keys usually have workarounds, so it’s worth reaching out to them to discuss different solutions.
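The following added example (not Twilio SendGrid's code) shows both of the points above in working form: how the bit length of the key turns into the character length of the TXT record, and why a 2048 bit record crosses the 255 byte string boundary while a 1024 bit record does not. It builds the public key structure DKIM publishes (a DER SubjectPublicKeyInfo) for a 1024 and a 2048 bit modulus, splits the record into TXT strings the way a zone file needs, and then does what a verifier does: concatenates the strings, parses the tag list, and reads the modulus size out of the key. The moduli are constructed random integers standing in for real RSA moduli (only their length matters here), and s1 / example.com are placeholder names. Standard library only.

```python
import base64
import random

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1
TXT_STRING_MAX = 255  # RFC 1035: each <character-string> in a TXT RR holds at most 255 bytes


def der_len(n):
    """DER length: short form below 128, else 0x80|len-of-len followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return der(0x02, b)


def rsa_spki(n, e=65537):
    """SubjectPublicKeyInfo for an RSA key: the structure the DKIM p= tag carries (RFC 6376 3.6.1)."""
    alg = der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # AlgorithmIdentifier { rsaEncryption, NULL }
    rsa_pub = der(0x30, der_int(n) + der_int(e))      # RSAPublicKey { n, e }
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))


def dkim_record(spki):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def txt_strings(record):
    """Split the record into the quoted strings a TXT record is made of."""
    return [record[i:i + TXT_STRING_MAX] for i in range(0, len(record), TXT_STRING_MAX)]


def zone_line(selector, domain, record):
    return f"{selector}._domainkey.{domain}. IN TXT " + " ".join(f'"{s}"' for s in txt_strings(record))


def der_read(buf, pos=0):
    """Return (tag, content, position after this element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def dkim_key_bits(strings):
    """Verifier side: concatenate TXT strings (RFC 6376 3.6.2.2), parse tags, size the modulus."""
    tags = {}
    for item in "".join(strings).split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # folding whitespace is allowed inside values
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    if not tags.get("p"):
        raise ValueError("empty p= means the key has been revoked")
    spki = base64.b64decode(tags["p"])
    _, body, _ = der_read(spki)           # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = der_read(body)          # AlgorithmIdentifier
    if not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = der_read(body, pos)    # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = der_read(bitstr, 1)   # skip the unused-bits byte
    _, modulus, _ = der_read(rsa_pub)     # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()


def demo_modulus(bits, seed):
    """Constructed stand-in for an RSA modulus: random, odd, exactly `bits` long. Not a real key."""
    return random.Random(seed).getrandbits(bits) | (1 << (bits - 1)) | 1


def compare():
    """For each key size: (record length in chars, TXT strings needed, bits the verifier recovers)."""
    out = {}
    for bits in (1024, 2048):
        strings = txt_strings(dkim_record(rsa_spki(demo_modulus(bits, bits))))
        out[bits] = (sum(len(s) for s in strings), len(strings), dkim_key_bits(strings))
    return out


if __name__ == "__main__":
    for bits, (length, nstrings, parsed) in compare().items():
        print(f"{bits}-bit key: record is {length} chars in {nstrings} TXT string(s); verifier sees {parsed} bits")
    print(zone_line("s1", "example.com", dkim_record(rsa_spki(demo_modulus(2048, 2048)))))
```

The 1024 bit record comes out at 234 characters and fits in one TXT string; the 2048 bit record is 410 characters and needs two, which is exactly the case a single-string DNS interface cannot hold. To check a live record, paste the quoted strings returned by `dig TXT s1._domainkey.yourdomain.com` into `dkim_key_bits` and confirm it reports 2048.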
Set up 2048 bit DKIM keys for your Twilio SendGrid account
Whenever automatic security in your Twilio SendGrid account creates a new DKIM key, it will be a 2048 bit key. A new DKIM key generates with every new selector.
However, existing domain authentication configurations and selectors will not change automatically. For example:
- If you create a new domain authentication, but it uses the same default s1 selector as a previous 1024 bit key, it will reuse the 1024 bit key.
- If you have an existing 1024 bit key, then you’ll need to pick a custom unused selector when creating the new domain authentication to generate a new 2048 bit key.
In your Twilio SendGrid account, go to “Settings” and then “Sender Authentication” to create or update your DKIM key.
Exception: Manual security will not use 2048 bit
Manual security domain authentications in your Twilio SendGrid account will continue to use 1024 bit keys, even for a brand-new domain authentication. The reason is record length, not key strength: a 2048 bit public key produces a TXT record longer than the 255 byte string limit, and not every DNS provider lets you enter such a record. With manual security you put the raw DKIM key on your own provider, so there is a risk the provider won’t accept a 2048 bit record, and we default to the key size that fits in a single string.
When you set up automatic security, Twilio SendGrid publishes the DKIM TXT record on our own DNS provider (which we know supports 2048 bit DKIM records), and you add CNAME records in your DNS that point the selector names at ours.
For more information on setting up 2048 bit keys for your account, go to our docs article, Migrating to 2048 Bit DomainKeys Identified Mail (DKIM).
Protect your email program with 2048 bit keys
Unfortunately, attackers aren’t going away anytime soon, and you must stay one step ahead of them to keep your email secure. Moving to 2048 bit DKIM keys is a necessary step in protecting your domain and email reputation against signature forgery.
Learn how to set up 2048 bit keys for your Twilio SendGrid account, or learn more about account security best practices.